Monitor DL Ls By Signer
Query
DeviceImageLoadEvents
| where TimeGenerated > ago(90d) //change to 30d if using advanced hunting with no sentinel
| where FileName contains ".dll"
| join kind=leftouter DeviceFileCertificateInfo on $left.SHA1 == $right.SHA1
| where FileName contains ".dll"
| summarize make_set(FileName) by SignerExplanation
This query is designed to analyze device image load events, specifically focusing on DLL files, over the past 90 days (or 30 days if using advanced hunting without Sentinel). Here's a simple breakdown of what it does:
-
Data Source: It starts by looking at the
DeviceImageLoadEventstable, which contains records of files loaded by devices. -
Time Filter: It filters the events to only include those generated in the last 90 days. If you're using advanced hunting without Sentinel, you should change this to 30 days.
-
File Filter: It further narrows down the events to only those where the file name contains ".dll", indicating that the file is a dynamic link library.
-
Join Operation: The query performs a left outer join with the
DeviceFileCertificateInfotable on the SHA1 hash of the files. This means it combines information from both tables based on matching SHA1 values, keeping all records from theDeviceImageLoadEventstable and adding matching records from theDeviceFileCertificateInfotable where available. -
Summarization: Finally, it summarizes the data by grouping the results based on the
Signer(the entity that signed the file) and creates a set of unique DLL file names associated with each signer.
In essence, this query helps identify which DLL files have been loaded on devices, who signed them, and provides a list of unique DLLs for each signer over the specified time period.
Details

Jay Kerai
Released: January 14, 2026
Tables
Keywords
Operators